How Attackers Steal Passwords

Many people don’t understand how easy it is for attackers to take advantage of weak passwords, and therefore don’t use a password manager or other means to make their passwords stronger. This post describes 9 common ways passwords get captured, roughly ordered from most to least common. Proper use of a password manager can thwart some of these attacks and limit damages from most other types of attacks.

#1: You Hand it Over Voluntarily

People frequently hand over their passwords via phishing, other forms of social engineering, or when a person or entity asks for temporary use of a password.

Protection: The simplest defense is to NEVER share your password for any account with any person, organization, or web site. An additional good defense is to develop “net smarts” analogous to “street smarts” to avoid phishing scams or other forms of social engineering. If you must temporarily share your password (i.e. to import contacts into Facebook), then change your password immediately after its temporary use is complete.

Damage Control: Your damages are limited to one account if you have a unique password for each account. Immediately change the password of the affected account.

#2: You Hand it Over Unknowingly

This overlaps with the previous attack. You think you are on the web site you intended but you actually mistyped it by one character, you clicked a bad link to get there, or you were tricked by tabnapping. So you end up on a fake or spoof web site that looks legitimate. When you log in, it collects your credentials then passes you on to the real site. A variation on this theme is an attack which layers extra fields over a legitimate web site. You are tricked into typing private personal information such as birthday, mother’s maiden name, social security number, etc. and then this information is used to “recover” your account (see #7 below).

Protection: A good defense against this ploy is to only login to a web site by selecting it from your password manager’s drop down menu (even if the tab was one you thought you opened yourself). This will automatically log you in to the correct site, which the password manager stores. Another type of defense is for your browser to use a security service that warns you when you might be about to open a hazardous web site – but this may slow down browsing.

Damage Control: Your damages are limited to one account if you have a unique password for each account. Immediately change the password of the affected account.

Protection: A simple and effective defense for users is to only use long, randomly generated passwords. How long? 15 characters. Rainbow tables easily crack passwords 8 or fewer characters long and in some cases up to 14 characters.

Damage Control: In the unlikely case that a rainbow table attack manages to crack one of your 15 character passwords, at least your damages will be limited to one account if you have a unique password for each account. Change the password of any account that becomes compromised due to mass theft.

#4: Brute Force

Brute Force refers to discovering passwords through trial and error, similar to trying every possible combination on a lock. The most well known form of brute force attack is for password cracking software to methodically try millions of passwords on one specific user name on a specific account. A typically weak password can be cracked in less than a day using this method.

Security conscious online vendors like banks or e-mail services provide some protection against such brute force attempts by denying access if there are too many attempts per hour. However, different forms of brute force can be used to get around these safeguards. A common example is software which automatically logs in to millions of different accounts per day by combining popular user names, passwords, and web sites (i.e. try password1 at Jsmith@gmail.com, 123456 at dj@facebook.com, qwerty at Mrodriguez@yahoo.com, etc.). As such methods becomes more widely adopted, it would not be surprising if nearly all accounts with short user names and short passwords get compromised.

Brute force is also used as a supplementary attack after a first password is captured. For example, if the password badpassword1 was captured by phishing, brute force can be used to try similar passwords on other accounts.

Protection: Brute force attacks are highly unlikely to crack very strong passwords. So just use strong passwords. I suggest randomized 15 character jumbles.

Damage Control: Your damages are limited to one account if you have a unique password for each account. Immediately change the password of the affected account.

#5: Eavesdropping: Keystroke Logger on Your Browser

Many people believe that nothing bad can happen to people who only visit safe, well respected sites. They are wrong. Malicious JavaScript can be injected into any browser on any system, visiting any web site. Keystroke logging is something that is done by some of these Javacript injections. In most browsers, malicious JavaScript can log keystrokes in all open tabs, until the browser is closed. Usernames and passwords entered during the session can be captured this way.

Protection: Keystroke logging via browser is growing more common but is unfortunately one of the more difficult threats to defend against. Defenses include:

Use Firefox in conjunction with the NoScript extension. While this is a strong defense, the overall complication of using NoScript (popups, whitelists, blacklists) is more of a hassle than the average Joe wants to deal with.

Some security suites attempt to defend against this threat with browser plug-ins, but these can dramatically slow down browsing.

A simpler option is to only access the internet using the Google Chrome browser, which is designed so that malicious JavaScript can be theoretically contained to a single tab. At least other tabs will be safe.

Some password managers such as RoboForm enter passwords and usernames in a way which most JavaScript keystroke loggers can not intercept.

None of these suggestions are sure to stop browser-based keystroke loggers, but if you implement one or more of these suggestions you’ll at least reduce your chances of getting your usernames and passwords logged by malicious JavaScript. The only perfect defense is to not connect to the internet at all.

Damage Control: Your damages are limited to logins captured while browsing, so long as you have a unique password for each account. Immediately change the password of the affected accounts. If using a browser-based or web-based password manager, you should also change your master password.

#6: Eavesdropping: Public WiFi Monitoring

Passwords are frequently stolen on public computers and over public WiFi connections, using free WiFi traffic monitoring software that is simple to operate.

Protection: Never log in to online accounts using a public computer. When using open WiFi hot spots, you should only log in with your own notebook with services that enforce secure log-ins and sessions (HTTPS), perhaps using the Firefox Add-on HTTPS Everywhere to help. It is far safer to access email and other accounts using your phone data service, if you have one.

Damage Control: If you discover that this type of attack has occurred, then you will need to change the password for all of your accounts as well as your master password. If you know exactly when the attack occurred, you can change passwords only for the accounts you used during that session.

#7: A Thief “Recovers” Your Account

Many accounts provide an automatic “password recovery” system that allows you to recover your account if you forget your password. But armed with basic personal information (easy to gather, as described here), a thief can “recover” your account and effectively take it over. An especially rewarding target is your e-mail account, where the attacker can find out all sorts of things to attack you further, such as user names and passwords that were e-mailed to you when you opened other accounts.

Protection: The best defense against this form of attack is to disable the “password recovery” option for all sensitive accounts. This option is not usually provided, so the next best defense is to supply only obscure or false information to the password reset mechanism for each account – don’t use information like your mother’s maiden name or the name of your pet which can be easily obtained by a thief.

Damage Control: Your damages are limited to one account if you have a unique password for each account. Use the password reset mechanism to get back control of your account. If that doesn’t work, you’ll have to contact customer service for that account. Once you get back control, disable the password recovery option. If this is not possible, change the questions/answers needed to verify your identity to something much more obscure or false.

#8: Eavesdropping: Keystroke Logger on Your System

Malware that manages to install itself on your system will often be able to log every keystroke and thus capture all of your user name and password information over time.

Protection: The best defense is a combination of typical safe computing practices such as never logging in on a public computer, installing software from trusted sources only, avoiding phishing attacks, only connecting safe devices to your computer, and keeping your operating system, browser, and security software all up to date. Using Mac OS X or Linux is also a way to lower risk, because most malware is written for Windows. Some password managers enter passwords and usernames in a way which most keystroke loggers can not intercept.

Damage Control: If you discover that this type of attack has occurred, then you will need to first regain control of your computer with the help of an expert, or use a different computer that you are sure is safe. Then change the password for all of your accounts as well as your master password.

#9: Malware Searches Your System

One class of malware searches your computer’s hard drive or memory for passwords that are not encrypted. Testing software provided by RoboForm and other password manager vendors demonstrates how Windows computers yield a surprisingly large number of passwords when searched this way.

Protection: Passwords stored and entered from within a password manager (that are protected by a strong master password) are immune from this type of attack.

Damage Control: If you discover that this type of attack has occurred, then you will need to first regain control of your computer with the help of an expert, or use a different computer that you are sure is safe. Then change the password for all of your accounts as well as your master password.

But What About . . .

The remaining ways passwords can be stolen are all rarely employed against home users. Such methods include looking over your shoulder as you type, exploiting vulnerabilities in password-handling software or the operating system, zero day exploits (taking advantage of a security flaw in software or operating systems before it is patched), hardware keystroke loggers, monitoring Bluetooth keyboard activity, acoustic cryptanalysis, wiretapping, dumpster diving, side-channel attacks, and undoubtedly a few more I haven’t mentioned.

If you are well protected against the more common attacks listed above, you’re already doing better than the vast majority of home computer users and partially protected against some of the unusual threats mentioned in this section. While security professionals working at large organizations need to guard against these possibilities, it is not worth the time, cost, or effort for a typical home user to guard against or even think about these more esoteric attack possibilities.

However, one possibility that worries some potential users of password managers is what happens if the master password is somehow stolen due to keystroke logging or some other means. While this is possible, I have been unable to find a single instance of a home user getting a master password stolen when using one of the best password managers. Why spend time worrying about something that hasn’t yet happened when there are tens of millions of passwords being stolen per year for the more common reasons listed above?

For those home users concerned about master password capture, two-factor authentication can insure that a captured master password is useless. It is available as on option with password managers LastPass and KeePass, but is unfortunately a bit complicated to implement for the average Joe.

And the Winner Is . . .

When it comes to security, there is no such thing as winning – it’s a matter of trying to minimize risk with as little effort as possible. For a home user, the amount of effort must be very small or it won’t happen. Correct use of a password manager takes little effort, yet effectively blocks attacks #2, #3, #4, #7, #8, and #9 above, as well as limiting damage to a single account from most other forms of attack. Combine that with typical security procedures and a reasonable amount of “net wisdom” and you get good results—a minimal amount of effort to greatly reduce the chance that your passwords will get stolen.

Share this:

4 Comments

Jordan

November 2, 2011 at 1:30 PM

Very nice. Will definitely bookmark.

I especially like how you don’t attempt to raise paranoia but are careful with your wording, as well as how you provide definitions. I do wonder, though, about the last one (malware searching one’s computer); I thought that only worked on old versions of Windows XP. Am I wrong? I usually am about this stuff, but I couldn’t really find any information for or against what I’d heard awhile back.

Hi Jordan – Thanks for your appreciation. I do take great care with wording. My wife (who has a technical writer background) helps me clean up my posts with her fabulous editing skills (most especially the password series). The vast majority of information about passwords on the internet is written with much haste and little thought, which makes it pretty hard for an ordinary person to get educated about passwords. Note that this post is just one part of a multi-post guide on passwords, with the index/intro article being:

As you note, XP (which just a few months ago fell below 50% market share world wide) is particularly notorious for its susceptibility to malware searching for passwords. However, it’s not just about the operating system. Any application can store its passwords as plaintext. Many past browser versions have stored passwords in plaintext or just using the Windows login key as the encryption key. For example, Internet Explorer:

I put “malware searching the computer” at #9 on the list because every survey (or discussion among security professionals) I’ve seen indicates that this is much less common than the the first 7 attacks. I’m not sure if #8 or #9 is more common. It’s nice to know that any of the more popular password managers guards against this particular form of attack.

Comcast has been having a lot of problems in the past year with hackers breaking into customer email accounts but I suspect it has more to do with the Sony hack than Comcast. My guess is that many people were using the same password for both their Sony Playstation account and their Comcast account. The stolen Playstation passwords could therefore be used to get into peoples’ Comcast accounts in cases where the 2 passwords were the same.